On 18/02/16 11:28, "Ioan-Adrian Ratiu" <[email protected]> wrote:
>Hello > >On Thu, 18 Feb 2016 11:04:22 +0200 >Markus Lehtonen <[email protected]> wrote: > >> Hi, >> >> >> >> On 17/02/16 17:41, "Ioan-Adrian Ratiu" >> <[email protected] on behalf of >> [email protected]> wrote: >> >> >Implement local ipk signing logic inside the gpg backend and add a new >> >bbclass which configures signing similar to how rpm does it. >> > >> >The ipk signing process is a bit different from rpm: >> > - Signatures are stored outside ipk files; opkg connects to a feed >> >server and downloads them to verify a package. >> > - Signatures are of two types (both supported by opkg): binary or >> >ascii armoured. By default we sign using ascii armoured. >> > - Public keys are stored on targets to verify ipks using the >> >opkg-keyrings recipe. >> > >> >Signed-off-by: Ioan-Adrian Ratiu <[email protected]> >> >--- >> > meta/classes/package_ipk.bbclass | 6 +++++ >> > meta/classes/sign_ipk.bbclass | 55 >> > ++++++++++++++++++++++++++++++++++++++++ >> > meta/lib/oe/gpg_sign.py | 39 ++++++++++++++++++++++++++++ >> > 3 files changed, 100 insertions(+) >> > create mode 100644 meta/classes/sign_ipk.bbclass >> > >> >diff --git a/meta/classes/package_ipk.bbclass >> >b/meta/classes/package_ipk.bbclass >> >index 51bee28..4f5bbd0 100644 >> >--- a/meta/classes/package_ipk.bbclass >> >+++ b/meta/classes/package_ipk.bbclass >> >@@ -246,6 +246,12 @@ python do_package_ipk () { >> > bb.utils.unlockfile(lf) >> > raise bb.build.FuncFailed("opkg-build execution failed") >> > >> >+ if d.getVar('IPK_SIGN_PACKAGES', True) == '1': >> >+ ipkver = "%s-%s" % (d.getVar('PKGV'), d.getVar('PKGR')) >> >+ ipk_to_sign = "%s/%s_%s_%s.ipk" % (pkgoutdir, pkgname, ipkver, >> >d.getVar('PACKAGE_ARCH', True)) >> >+ d.setVar('IPK_TO_SIGN', ipk_to_sign) >> >+ bb.build.exec_func("sign_ipk", d) >> >+ >> > cleanupcontrol(root) >> > bb.utils.unlockfile(lf) >> > >> >diff --git a/meta/classes/sign_ipk.bbclass b/meta/classes/sign_ipk.bbclass >> >new file mode 100644 >> >index 0000000..cb22bb4 >> >--- /dev/null >> >+++ b/meta/classes/sign_ipk.bbclass >> >@@ -0,0 +1,55 @@ >> >+# Class for generating signed IPK packages. >> >+# >> >+# Configuration variables used by this class: >> >+# IPK_GPG_PASSPHRASE_FILE >> >+# Path to a file containing the passphrase of the signing key. >> >+# IPK_GPG_NAME >> >+# Name of the key to sign with. >> >+# IPK_GPG_BACKEND >> >+# Optional variable for specifying the backend to use for >> >signing. >> >+# Currently the only available option is 'local', i.e. local >> >signing >> >+# on the build host. >> >+# IPK_GPG_SIGNATURE_TYPE >> >+# Optional variable for specifying the type of gpg signatures, >> >can be: >> >+# 1. Ascii armored (ASC), default if not set >> >+# 2. Binary (BIN) >> >+# GPG_BIN >> >+# Optional variable for specifying the gpg binary/wrapper to use >> >for >> >+# signing. >> >+# GPG_PATH >> >+# Optional variable for specifying the gnupg "home" directory: >> >+# >> >+ >> >+inherit sanity >> >+ >> >+IPK_SIGN_PACKAGES = '1' >> >+IPK_GPG_BACKEND ?= 'local' >> >+IPK_GPG_SIGNATURE_TYPE ?= 'ASC' >> >+ >> >+python () { >> >+ # Check configuration >> >+ for var in ('IPK_GPG_NAME', 'IPK_GPG_PASSPHRASE_FILE'): >> >+ if not d.getVar(var, True): >> >+ raise_sanity_error("You need to define %s in the config" % >> >var, d) >> >+ >> >+ sigtype = d.getVar("IPK_GPG_SIGNATURE_TYPE", True) >> >+ if sigtype.upper() != "ASC" and sigtype.upper() != "BIN": >> >+ raise_sanity_error("Bad value for IPK_GPG_SIGNATURE_TYPE (%s), use >> >either ASC or BIN" % sigtype) >> >+} >> >+ >> >+python sign_ipk () { >> >+ from oe.gpg_sign import get_signer >> >+ >> >+ ipk_file = d.getVar('IPK_TO_SIGN') >> >+ bb.debug(1, 'Signing ipk: %s' % ipk_file) >> >+ >> >+ signer = get_signer(d, d.getVar('IPK_GPG_BACKEND', True)) >> >+ >> >+ sig_type = d.getVar('IPK_GPG_SIGNATURE_TYPE', True) >> >+ is_ascii_sig = (sig_type.upper() != "BIN") >> >+ >> >+ signer.sign_ipk(ipk_file, >> >+ d.getVar('IPK_GPG_NAME', True), >> >+ d.getVar('IPK_GPG_PASSPHRASE_FILE', True), >> >+ is_ascii_sig) >> >+} >> >> To me, it would be seem more straightforward to not circulate ipk_to_sign >> through 'd'. Just define a regular python function like >> def sign_ipk(d, ipk_to_sign): >> ... >> >> And then in package_ipk.bbclass just do "sign_ipk(d, ipk_to_sign)" instead >> of bb.build.exec_func("sign_ipk", d)" >> >> >> >> >> >diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py >> >index ada1b2f..138499b 100644 >> >--- a/meta/lib/oe/gpg_sign.py >> >+++ b/meta/lib/oe/gpg_sign.py >> >@@ -1,5 +1,6 @@ >> > """Helper module for GPG signing""" >> > import os >> >+import sys >> > >> > import bb >> > import oe.utils >> >@@ -50,6 +51,44 @@ class LocalSigner(object): >> > bb.error('rpmsign failed: %s' % proc.before.strip()) >> > raise bb.build.FuncFailed("Failed to sign RPM packages") >> > >> >+ def sign_ipk(self, ipkfile, keyid, passphrase_file, armor=True): >> >+ """Sign IPK files""" >> >+ import subprocess >> >+ from subprocess import Popen >> >+ >> >+ cmd = [self.gpg_bin, "-q", "--batch", "--yes", "-b", "-u", keyid] >> >+ if self.gpg_path: >> >+ cmd += ["--homedir", self.gpg_path] >> >+ if armor: >> >+ cmd += ["--armor"] >> >+ >> >+ try: >> >+ keypipe = os.pipe() >> >+ >> >+ # Need to add '\n' in case the passfile does not have it >> >+ with open(passphrase_file) as fobj: >> >+ os.write(keypipe[1], fobj.readline() + '\n') >> >+ >> >+ cmd += ["--passphrase-fd", str(keypipe[0])] >> >+ cmd += [ipkfile] >> >+ >> >+ gpg_proc = Popen(cmd, stdin=subprocess.PIPE) >> >+ gpg_proc.wait() >> >+ >> >+ os.close(keypipe[1]); >> >+ os.close(keypipe[0]); >> >+ >> >+ except IOError as e: >> >+ bb.error("IO error ({0}): {1}".format(e.errno, e.strerror)) >> >+ raise bb.build.FuncFailed("Failed to sign IPK packages") >> >+ except OSError as e: >> >+ bb.error("OS error ({0}): {1}".format(e.errno, e.strerror)) >> >+ raise bb.build.FuncFailed("Failed to sign IPK packages") >> >+ except: >> >+ bb.error("Unexpected error: {1}".format(sys.exc_info()[0])) >> >+ raise bb.build.FuncFailed("Failed to sign IPK packages") >> >+ >> >+ >> > def detach_sign(self, input_file, keyid, passphrase_file, >> > passphrase=None, armor=True): >> > """Create a detached signature of a file""" >> > import subprocess >> >> Couldn't you just use detach_sign() instead of introducing sign_ipk(). To me >> the functionality seems identical. > >The functionality is almost identical, yes, and consolidating it into one >function is a very good idea. I'll do it but I have one question. > >The only diference between them is the usage in detach-sign of gpg's >"--with-passphrase" arg, and that arg seems to cause some errors on my system: >"gpg: signing failed: Inappropriate ioctl for device" You mean the "--passphrase-file" option? I don't see any "--with-passphrase" option anywhere. The problem sounds really strange. What host OS and gpg version do you have? I'd like to understand what is happening there. >I have not managed to reliably reproduce and find the cause of this issue. >However, if we always open the file in python and read directly in a pipe which >we always pass to gpg using "--passphrase-fd", the error goes away. > >Is using something like the following in detach_sign() ok with you? > >with open(passphrase_file) as fobj: > os.write(keypipe[1], fobj.readline() + '\n') > >cmd += ["--passphrase-fd", str(keypipe[0])] If we need to do this, why do you want to use pipes? Why not just something like with open(passphrase_file) as fobj: job.communicate(fobj.readline() + '\n') Thanks, Markus -- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
